How many permission do you think a simple flashlight app would need? Access to the phone’s LED flash, the internet to show advertisement, and lock screen access should be enough to keep the app running without problems, however, a post on the Decoded Avast, has found that the average number of permissions requested by a flashlight app is 25.
Flashlight capability in an Android phone is now native and doesn’t need a specific app to use the smartphone as a torch. However, there are thousands of flashlight apps for Android in the existence of which Avast examined 937, “that either once made it on the store or are still available there”.
Avast notes that while most of these apps are clean with only seven are tagged as malicious or potentially unwanted, the sheer number of permissions required for most of these apps is alarming. The report says that 408 flashlight apps asked for 10 permission, “which seem fairly reasonable” whereas 262 other such apps asked for 50 permissions or more. Avast notes that 77 of these apps are still active today.
The report lists down some apps which have been downloaded more than millions of times and they ask for around 70 permission. Some of these permissions asked by these flashlight apps include– read contact lists, record audio, write contacts, access location, call phone, receive SMS, answer phone calls, download without notification, kill background processes and more.
The post says, “It’s important to keep in mind that just because an app requests these permissions does not make it malicious.” However, the report also mentions an apklab.io report underlining the things an app is capable of doing if users grant these permissions.
Why do they need so many permissions?
Avast says, “In addition to displaying ads, there are other, less visual ways, that allow partners to make money: gathering data.” The report cross-references the information in apklab.io to find that a total of 208 apps request these permissions and most of these are a different version of the same app.
The report also finds out that there are five different developer groups behind these apps, according to the Developer IDs shown on Google Play Store but Avast claims that at least some of them are the same, who are just using a different Developer ID.
“This appears to be a developer or group of developers with a monetization system, harvesting users’ data and sharing the data with partners,” says Avast.